ODIN (variant of Locky) Ransomware


How to delete ODIN Ransomware:

  1. Locate the malicious WS or JS file you have opened (it might be on Desktop, in the Downloads folder, or somewhere else).
  2. Delete it.
  3. Open the Registry Editor (tap Win+R and enter regedit.exe in the box).
  4. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers.
  5. Right-click on the Value BackgroundHistoryPath0.
  6. Select Modify and empty the Value data field. Click OK.
  7. Open HKCU\Control Panel\Desktop.
  8. Right-click on the Wallpaper Value.
  9. Repeat the 6th step.
  10. Close the Registry Editor and press Win+E.
  11. Type %Temp%\MicroImageDir into the URL bar.
  12. Delete the file _HOWDO_text.bmp.
  13. Remove three files _HOWDO_text.html, _HOWDO_text.bmp, and _[number]_HOWDO_text.html from Desktop.
  14. Clear your Recycle bin.


(Steven Porter) #2

Nice! Thanks - more of this kind of information will help us build a local reference library

(Will Jeansonne) #3

Many thanks, G4nn61t! :wink:

Will Jeansonne
Community Manager

(Edwin Eekelaers) #4

Has anyone who suffered this tried it and got 100% rid of it? You could perhaps boot up that machine with a PE build from Windows capable of running PowerShell and use a purpose-built script to lazy your way out.
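
Steps 3-14 of the removal list in the first post, scripted along the lines post #4 suggests. This is an added example, not code from any poster in this thread. The function name `Remove-OdinArtifacts` is hypothetical, and the script assumes it runs in the affected user's own session: `HKCU:`, `%Temp%` and the Desktop path resolve per user, so from a PE boot they would point at the PE environment rather than the affected profile.

```powershell
# Added example: automates steps 3-14 of the list above; steps 1-2 (finding and
# deleting the opened WS/JS file) stay manual because its name is not known.
function Remove-OdinArtifacts {          # hypothetical name, not from the thread
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Steps 4-9: empty the two wallpaper values named in the post.
    $values = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers'; Name = 'BackgroundHistoryPath0' },
        @{ Key = 'HKCU:\Control Panel\Desktop'; Name = 'Wallpaper' }
    )
    foreach ($v in $values) {
        $current = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -eq $current) { Write-Verbose "$($v.Key)\$($v.Name) not present"; continue }
        $old = $current.($v.Name)
        # Show the previous value so the change can be reviewed or reverted.
        if ($PSCmdlet.ShouldProcess("$($v.Key)\$($v.Name)", "Empty value (was '$old')")) {
            Set-ItemProperty -Path $v.Key -Name $v.Name -Value ''
        }
    }

    # Steps 11-13: ransom-note files in %Temp%\MicroImageDir and on the Desktop.
    $desktop = [Environment]::GetFolderPath('Desktop')
    $targets = @(Join-Path $env:TEMP 'MicroImageDir\_HOWDO_text.bmp')
    $targets += @(
        Get-ChildItem -LiteralPath $desktop -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^_HOWDO_text\.(html|bmp)$|^_\d+_HOWDO_text\.html$' } |
            ForEach-Object { $_.FullName }
    )
    foreach ($path in $targets) {
        if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'Delete file')) {
            Remove-Item -LiteralPath $path -Force
        }
    }

    # Step 14: empty the Recycle Bin (Clear-RecycleBin needs PowerShell 5.0+).
    if ($PSCmdlet.ShouldProcess('Recycle Bin', 'Clear')) {
        Clear-RecycleBin -Force -ErrorAction SilentlyContinue
    }
}

Remove-OdinArtifacts -WhatIf   # preview only; rerun without -WhatIf to apply
```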